An idea for Role Based Access Control

I want to hear your opinion about my Role Based Access Control for Yii.
Actually, I love the idea of RBAC in Yii described here http://www.yiiframew...-access-control but I have a question: why do I have to remember all those role names I've created, and why should I verify permissions manually for each piece of code? I'm quite sure that a Model should only be modified by the corresponding Controller Actions. So why not have permissions and roles closely tied to my controllers and their actions, and let Yii automatically verify the user's permission to access one action or another?

So I've started with a database schema (MySQL):


As you can see, each user can have multiple roles. Each role can have multiple permissions. Each permission allows access to the corresponding controller/action pair. Also, a permission can have a business rule associated with it. A business rule is a simple piece of PHP code. For example, here is a permission that will allow a user to update his own profile (the crud-generated UsersController class will have a method called loadUser() to load the current instance of the 'User' model):

And that's all! Mostly... I thought it would be good to have a yiic shell command that is able to create/update/delete/grant/revoke/search permissions, users and roles. I've called it 'rbac'; here is its code on PasteBin: http://paste2.org/p/153298

(the code is also in the attachment; put it into the /protected/command/shell folder)
and here is a sample console session


This looks very nice! I think it is quite useful. You should share it as an extension.

The RBAC implemented in Yii is a generic one that is not tied to MVC. I also believe you can implement the access control you did here on top of the Yii RBAC (e.g. use controller+action as operation IDs).

Hi, surely you can. You will need to create a separate permission named "update my section", and this permission should have a bizrule attached.
The actual PHP code in the bizrule will depend on your application, but it may be something like:
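The following is an added, stand-alone example written for this page; it is neither the original poster's attached rbac extension nor the reply's bizrule, and it uses no Yii classes. It shows the design from the first post (a permission is a controller/action pair granted to roles, optionally guarded by a business rule that receives the request parameters) together with the "update my own profile / my own section" rule the reply above asks for. Table names, column names and the sample rows are assumptions standing in for the MySQL tables. One deliberate change from the thread: the thread stores raw PHP in the permission row and eval()s it, which means anyone who can write to that table can run code on the server, so here the column holds the name of a rule that is registered in application code, and an unknown rule name denies rather than grants.

```php
<?php
// Added example, not the original poster's code nor the attached rbac extension.
// Plain PHP, no Yii classes. Table/column names are assumptions; the arrays
// below are constructed sample rows standing in for the MySQL tables.

// permissions(id, controller, action, rule)
// 'rule' names a callable registered in $rules below. The thread keeps raw PHP
// source here and eval()s it; a name that resolves to code shipped with the
// application is used instead so the permissions table cannot inject code.
$permissions = [
    1 => ['controller' => 'users', 'action' => 'update', 'rule' => null],
    2 => ['controller' => 'users', 'action' => 'update', 'rule' => 'ownProfile'],
    3 => ['controller' => 'posts', 'action' => 'delete', 'rule' => null],
];
// role_permission(role, permission_id) and user_role(username, role)
$rolePermissions = ['admin' => [1, 3], 'member' => [2]];
$userRoles       = ['admin' => ['admin'], 'demo' => ['member']];

// Business rules live in code. $params is whatever the action hands over, e.g.
// the model returned by the thread's loadUser() plus the current user's id.
$rules = [
    'ownProfile' => function (array $params): bool {
        return isset($params['model'], $params['userId'])
            && $params['model']->id === $params['userId'];
    },
];

/**
 * The automatic check the first post wants a Yii filter to run before every
 * action: may $username execute $controller/$action for this request?
 * Returns true only on an explicit grant; everything else is denied.
 */
function canAccess(string $username, string $controller, string $action, array $params,
                   array $userRoles, array $rolePermissions, array $permissions, array $rules): bool
{
    foreach ($userRoles[$username] ?? [] as $role) {
        foreach ($rolePermissions[$role] ?? [] as $permId) {
            $perm = $permissions[$permId] ?? null;
            if ($perm === null || $perm['controller'] !== $controller || $perm['action'] !== $action) {
                continue;
            }
            if ($perm['rule'] === null) {
                return true;                       // unconditional grant
            }
            // A rule name that is not registered fails closed instead of granting.
            if (isset($rules[$perm['rule']]) && $rules[$perm['rule']]($params)) {
                return true;
            }
        }
    }
    return false;                                  // default deny
}

// Constructed requests: "demo" (user id 2) edits profile 2, then profile 1,
// then tries to delete a post; "admin" deletes a post.
$ownProfile   = (object) ['id' => 2];
$otherProfile = (object) ['id' => 1];
var_dump(canAccess('demo', 'users', 'update', ['model' => $ownProfile, 'userId' => 2],
                   $userRoles, $rolePermissions, $permissions, $rules));
var_dump(canAccess('demo', 'users', 'update', ['model' => $otherProfile, 'userId' => 2],
                   $userRoles, $rolePermissions, $permissions, $rules));
var_dump(canAccess('demo', 'posts', 'delete', ['userId' => 2],
                   $userRoles, $rolePermissions, $permissions, $rules));
var_dump(canAccess('admin', 'posts', 'delete', ['userId' => 1],
                   $userRoles, $rolePermissions, $permissions, $rules));
```

In a real Yii application the arrays would be loaded from the tables and `canAccess()` would be called from a filter using the current controller id, action id and the logged-in user, so that no action needs its own hand-written permission check, which is the point of the first post. Keeping the rule body in code rather than in the database is the part that keeps an RBAC admin interface from doubling as a remote code execution interface.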

I have attached the blog demo from Yii 1.0.2, where I added the Rbac extension. There are two users: admin/admin and demo/demo. admin has full rights; demo only has the right to create and update his own posts, but not to delete them.

In a week or so I'm going to upload heavily modified code. It will be a configurable Yii module with its own login/logout/signup/passwordForgot features and an admin interface for managing roles, permissions and users.